Researchers Link NotPetya Outbreak and Kiev Power Grid Outage to One Hacking Group

Depending on how one looks at the world, coincidence is either a common thing or does not exist at all. In the world of cyberthreats, the latter seems to be the more common conclusion. New research shows the NotPetya ransomware attack and a disruption of Ukraine’s power grid are linked by one common denominator.

The Industroyer Backdoor Threat

Security researchers often wonder whether there are hidden connections between recent disruptive cyber threat events. In early 2017, the NotPetya ransomware outbreak caused massive problems on a global scale. Numerous institutions and companies were affected by this malware, which attempted to extract Bitcoin from all of its victims.

A year prior, a massive power grid disruption caused issues in Kiev, the capital of Ukraine. Although that disruption was clearly caused by a hacker, it now seems there is a bigger story behind it. In fact, the Kiev attack and NotPetya are not necessarily two separate incidents, as both are linked to the infamous Industroyer backdoor.

For those unfamiliar with the name, Industroyer is a piece of code that has been used to attack Ukrainian services for some time now. Although its success in the country was relatively limited, the tool itself serves as a platform for both NotPetya and the successful attack on Kiev’s power grid. Any previous assumption that NotPetya was following in WannaCry’s footsteps was discredited by these findings, as the former is incapable of decrypting a hard disk after a payment is made; instead, it erases all data regardless.

ESET researchers explain their findings as follows:

“As can be seen from the first line of the configuration, the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.”
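As an added illustration of the disguise ESET describes in the quote above (a backdoor deployed under an AV-sounding service name, avtask.exe), here is a small Python check a defender could run over a service inventory. This is example code written for this page, not ESET’s detection logic; the vendor install roots, the keyword list and every inventory entry except the name avtask.exe are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Directories a legitimate AV service would normally be installed under.
# These roots are assumptions for this example, not a vendor list from the
# article; extend them for the products actually deployed.
TRUSTED_AV_ROOTS = (
    "c:\\program files\\windows defender\\",
    "c:\\program files\\eset\\",
)

# Tokens that make a service name or image path look AV-related. Each token
# must start at a word boundary so that, e.g., "java" does not match "av".
AV_THEME = re.compile(r"(?:^|[^a-z])(?:av|antivirus|antimalware|defender|eset)")


@dataclass(frozen=True)
class ServiceRecord:
    name: str        # service name as registered
    image_path: str  # binary the service control manager launches
    signer: str      # Authenticode publisher, "" when unsigned


def looks_av_related(rec: ServiceRecord) -> bool:
    """True when the service name or binary path is dressed up as AV."""
    haystack = f"{rec.name.lower()} {rec.image_path.lower()}"
    return AV_THEME.search(haystack) is not None


def is_suspicious(rec: ServiceRecord) -> bool:
    """An AV-themed service is suspicious unless it runs from a trusted
    vendor directory *and* carries a publisher signature."""
    if not looks_av_related(rec):
        return False
    in_trusted_root = rec.image_path.lower().startswith(TRUSTED_AV_ROOTS)
    return not (in_trusted_root and rec.signer != "")


def find_suspicious(records: Iterable[ServiceRecord]) -> List[str]:
    """Return the names of inventory entries that deserve analyst review."""
    return [r.name for r in records if is_suspicious(r)]


# Constructed inventory; only the name avtask.exe comes from the article.
SAMPLE_INVENTORY = [
    ServiceRecord("WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe", "Microsoft Windows"),
    ServiceRecord("ekrn", r"C:\Program Files\ESET\ESET Security\ekrn.exe", "ESET, spol. s r.o."),
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe", "Microsoft Windows"),
    ServiceRecord("avtask", r"C:\Windows\Temp\avtask.exe", ""),
    ServiceRecord("AntivirusUpdate", r"C:\Users\Public\avupd.exe", "Contoso Ltd"),
]

if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_INVENTORY):
        print("review service:", name)
```

The check is deliberately conservative: an AV-themed service is accepted only when it runs from a known vendor directory and carries a publisher signature, so a service that merely borrows an AV-style name from an unexpected path is surfaced for review. A real deployment would feed the inventory from the service control manager and verify the signature chain rather than trusting a recorded publisher string.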

With these findings made public, ESET has seemingly uncovered a connection between major cyberattacks that everyone else overlooked. It ties a single group to these attacks, although the origin of this group remains unclear. Nor is it clear whether the group is still in operation today, although it seems safe to assume such a capable group will not necessarily back down anytime soon.

All of this puts an entirely new spin on the ransomware distribution industry. Although many efforts are small-scale, some bigger plans have been put in motion. That is a very worrisome outlook for our society, as no one ever knows what the next attack might lead to. Shutting down a power grid evolved into briefly crippling major companies on a global scale. One can only speculate what comes next, although the outlook is not exactly promising.